other international IT governance and risk disclosure codes. We employed a
qualitative content analysis technique and found that 32 of the top 40 JSE-listed 
entities (80%) completely complied with King IV and other international 
standards. In contrast, eight of the top forty JSE-listed businesses (20%) partly 
complied. Moreover, 79% (19/24) of provisions in King IV are similar to those of
the international standards, while 21% (5/24) differ. The findings imply that most 
of the top 40 JSE-listed firms are protected from the consequences of
non-compliance with IT risks and governance disclosure, such as going concern risk,
fraud, and data manipulations. We also confirmed that King IV provisions 
regarding IT risks and governance aligned substantially with global standards, 
enhancing multinational firms' implementation of efficient IT risks and 
governance. 

INTRODUCTION

Modern organizations use information technology (IT) in their operations, as IT application systems have
improved company communication, data storage, processing, protection, and real-time business
process integration. Further, IT equipment is prevalent in contemporary entities' offices, industries,
schools, and business processes, and this has caused significant changes in company and
individual behavior and communication (Jusufi, 2013). For instance, business usage of computer
application systems has enhanced productivity and efficiency, but it also poses concerns that might 
threaten a company's viability (Marx & Hohls-du Preez, 2017). It is argued that organizations that 
aggressively adopted IT application systems have reaped the benefits leading to success. For this 
reason, companies must stay abreast of evolving changes in IT application systems (Marx et al., 
2016). 

Additionally, IT, risk management, and governance help firms connect objectives to the 
strategic vision and accomplish business goals (Pirta & Strazdina, 2012). In the same line of thought, 
IT applications help managers streamline corporate operations and decision-making. It is interesting to
note that artificial intelligence has expanded the usage of IT application systems and is crucial to an 
organization's operations and yearly financial reporting. In this regard, IT application solutions 
conduct transactions uniformly, avoiding manual system mistakes and improving financial report 
reliability (Ngwenya, 2015). Nevertheless, IT application systems usage exposes firms to complex 
dangers that might threaten their going concern ability (Marx & Hohls-du Preez, 2017). 

IT risks pose a substantial threat to the continuous existence and operations of an organization.
In addition, an organization's compliance with IT and risk governance is seen as a crucial instrument 
for enhancing its operations and continued existence. IT governance and its associated risks directly 
affect an organization's capacity to continue operations since these risks impair the efficient 
operations of IT systems and data inside the system. The going concern risk posed by IT risk in 
business is troublesome. The absence of IT governance and risk disclosure compliance with King IV 
by those responsible for governance will increase the likelihood of non-compliance by an 
organization. Inadequate IT governance exposes a corporation to significant risks, such as financial 
loss and the loss of crucial data, which may result in considerable reputational harm, legal 
exposures, and a loss of stakeholder and investor trust. IT governance failure hurts the company's 
performance and is likely to influence the choices of investors and other stakeholders (Marx et al., 
2016). It is essential to establish the degree to which organizations comply with King IV disclosure 
obligations for IT and risk governance. 


Existing research on King II and King III shows that disclosing IT governance and risks gives
stakeholders and investors assurance when making economic choices. This is because disclosure will enable investors
and stakeholders to understand the company's IT and information systems governance and risks. 
There is, however, very little literature on the recently published King IV; therefore, this research 
analyzed King IV's IT governance and risk disclosure compliance by the top 40 JSE-listed firms. 
Examining and analyzing entities' King IV governance compliance is crucial since JSE may suspend
their listing if they do not comply. This study focused on the top 40 JSE-listed companies mainly because they
account for 80% of market capitalization (Baker et al., 2016; Barr et al., 2007; Kotze, 2017; Marx &
Mohammadali-Haji, 2014; Marx & Voogt, 2010; Pholohane et al., 2020). The paper contributes to the 
discussion on King IV disclosure standards for IT governance and risk management in corporate 
reporting by public companies and the discussion on stakeholder theory. 

The following sections of this paper provide a synopsis of the literature review, including the 
theoretical and empirical analysis. Furthermore, a summary of the methodology and analysis 
method used in the study will be discussed. Lastly, the results and implications of the findings will 
be presented, as well as the conclusion. 

Theoretical Framework. Stakeholder theory was considered in the context of this study.
Stakeholder theory was defined by Abraham and Shrives (2014) as how an organization makes
voluntary disclosures aimed at managing and influencing stakeholders' and investors'
decision-making. Organizations use the disclosure of both financial and non-financial information to
influence stakeholder discernment. Important organizational stakeholders have a more significant 
influence, which may result in increased disclosures. An entity's disclosure of its IT governance and 
risks is critical to the stakeholders, shareholders, and investors to assess its ability to maximize the 
use of IT applications to increase operating efficiency and minimize the risks exposed. To make 
informed economic decisions, stakeholders rely on information disclosed by entities in the annual 
reports and integrated reports. Therefore, an entity's compliance with King IV disclosure 
requirements on IT governance and risks is crucial to stakeholders. 

Empirical Review, Information Technology. Information technology is now a vital resource 
for all businesses; it is crucial to gathering and processing data and supporting operational decisions 
and the long-term goals of an organization (Mangalaraj et al., 2014). The ongoing industrial 
revolution has led to an increase in the use of IT in business operations, financial reporting, and 
auditing (Byrnes et al., 2012). The internet, which has eliminated international barriers and created 
an immediate world, has been the most carefully researched advancement in information 
technology (Marx & Hohls-du Preez, 2017). The internet has allowed for the interchange of 
information between many parties, such as buyers and sellers, service providers, and customers, 
thus bringing the world closer together and allowing for real-time information sharing and
distribution (Marx & Hohls-du Preez, 2017). 

IT is recognized as the most crucial pillar for an organization's performance and, as a result, 
affects how an organization creates value, giving it a competitive advantage (Elazhary et al., 2022). 
IT use improved the speed, accuracy, and quality of organizational processes, which improved the 
efficacy and efficiency of providing goods and services to clients (Tohidi, 2011). Information and 
technology pervade all organizational mechanisms and processes, making it an operational enabler 
and a valuable asset. IT, as a strategic asset of an organization, should be governed and controlled 
to ensure that it helps the organization achieve its strategic goals (Hohls-du Preez, 2016). 
Organizations that have embraced the use of IT aim to reduce IT costs, keep IT risks to a minimum, 
and adhere to IT regulations and legislation (Mangalaraj et al., 2014). 


Information Technology Risks. Risks in information technology can also be described as any 
incident or activity that can result in the loss or destruction of computer hardware, software, data, 
or information (Hohls-du Preez, 2016). The execution and processing of the information may be 
subject to risks such as unauthorized disclosure, modifications to or destruction of data, inadvertent 
mistakes and exclusions, interruptions connected to IT, blunders, and a lack of professional due care 
(Parent & Reich, 2009). The rapid rise of e-commerce and commercial operations has increased 
dependency on IT resources, exposing firms to numerous critical risks, problems, and dangers such 
as cyber security, hacking, and going concerns (Marx, 2009; Schutte & Marx, 2018). Additionally, the 
board of directors and executive management are responsible for informing stakeholders about the 
IT-related risks to which an organization may be exposed and how these can damage the company. 
IT risks are reduced when IT governance is appropriately applied. It is crucial to disclose these risks 
in integrated reports so stakeholders can understand how IT resources are used efficiently and how 
risks are tracked and managed to meet organizational strategic goals. 

Some of the IT risks that organizations are exposed to because of adopting IT application
systems in their operations were recognized by Marx and Hohls-du Preez (2017), Parent and Reich
(2009), and Schutte and Marx (2018), and some of them include the following:

1. IT competence risks 

2. IT governance risks 

3. IT infrastructure risks 

4. IT business continuity risks 

5. Data security risks 

6. IT access risks 

7. IT integrity risks 

8. IT failures and disruption of IT systems

9. Social networking risks

10. Malware and cyber attacks 

Organizations should inform their stakeholders and investors about the risks they incur when 
utilizing IT applications, how these risks can affect their operations, and how they can be effectively 
controlled. The study aimed to determine if the integrated governance reports, intended to give
stakeholders and investors the information they need to make investment decisions, disclose the
risks that entities are exposed to when utilizing IT applications. The failure of the board and
executive management to disclose the risks to which entities are exposed constitutes a governance
failure and may result in a violation of the King IV code of corporate governance as well as the 
requirements for JSE listing. 

Information Technology Governance. IT governance is the process of examining, assessing,
and guiding an organization's plans to use IT systems and resources to help it accomplish its goals 
while minimizing risks related to the use of IT resources (Pa et al., 2015; Selig, 2018). Establishing 
procedures, structures, and interaction mechanisms that allow the entity and IT professionals to 
carry out their tasks to generate value and accomplish the entity's goals is a crucial component of 
corporate governance handled by the board of directors. Moreover, IT governance should be seen 
in collaboration because IT is linked to other assets, emphasizing the management and use of IT 
resources to fulfill an organization's goals (Pa et al., 2015). Along with meeting the standards for IT 
governance risk disclosure, IT governance also seeks to ensure that IT operating systems align with 
the organization's strategic goals (IoD, 2016). An essential component of business operations is IT
governance, which allows an organization to manage its IT application systems to generate and 
deliver value to the company while reducing the risks to which these systems expose the company 
(Rubino et al., 2017). 

Numerous frameworks have been developed to assist the board of directors in managing IT 
governance, such as COBIT 5, COSO, and various ISO/IEC standards (numbered 1 through 4). These 
frameworks have been discussed in publications by De Haes et al. (2013) and Jordaan (2019). Other 
laws and guidelines have also been created in various nations, such as the Sarbanes-Oxley Act (SOX), 
which was created in the United States to provide organizations with guidance on matters of 
corporate governance, and the King IV code of corporate governance which was designed to provide 
guidelines to both listed and unlisted entities (Ngwenya, 2015).

Information Technology Risk Management. Risk management is described as detecting 
exposures and risks inside an entity's structure and developing policies and procedures to reduce 
the impact on the utilization of IT resources (Gheorghe, 2010). Risk management is an essential 
component of IT governance, and COBIT 5 incorporates the basic principles of IT risks into the IT 
governance framework (Debreceny, 2013). In addition to being a crucial part of corporate 
governance, King IV, and the Companies Act, risk management is critical to a corporation since the 
company strategy should align with business risks, particularly IT risks (Raemaekers & Maroun, 
2014). Risk management enables IT managers and senior management to balance protecting IT 
application systems and an organization's capacity to meet goals with business operations, expenses, 
and strategic objectives (Tohidi, 2011). IT risk management consists of risk analysis, which deals 
with obtaining information on risk exposures, and risk management, which deals with monitoring 
and controlling the risks found during the risk analysis to ensure that they remain acceptable 
(Hardy, 2005). Risk management and disclosure of IT risks are crucial because they guarantee that all
stakeholders transparently receive information (Hohls-du Preez, 2016). King IV's principle 11 makes 
it clear that the board of directors must oversee and manage technology and information in a way 
that aids in defining important objectives and accomplishing strategic goals (IoD, 2016). 

Information Technology Governance & Risk Disclosure Literature. Numerous studies on
the compliance of South African JSE-listed firms with IT governance and risk disclosure regulations, 
as well as risk management and disclosures, can be found in the academic literature. Van Vuuren 
(2006) evaluated the disclosure of risk management policies in financial statements and found that 
33% of the enterprises surveyed conformed with King II governance and risk disclosure standards, 
which included IT. Marx et al. (2016) researched the information technology governance disclosure
compliance of JSE-listed businesses and discovered that IT plays a crucial role in facilitating business 
operations. While IT application systems are critical to an organization's success, their fast evolution 
has exposed them to new dangers that should be mitigated using good IT governance (Marx et al., 
2016). Marx et al. (2016), in their study, reported that 47% or 19 of 40 organizations were fully
compliant; 15%, or five companies, were moderately compliant; and 38%, or 15 companies, did not 
comply with King III's IT governance and risk management disclosure requirement. The results of
Marx et al. (2016) on IT governance and risk disclosure substantially improved over the earlier 
research conducted by Van Vuuren (2006), which revealed that just 33% of listed businesses 
complied with King II risk governance disclosure criteria. 


Ngwenya (2015) examined the Information Technology Governance disclosure of the top 40 
JSE-listed companies' compliance with King III IT governance requirements in 2015 and concluded 
that only 40% of the companies complied fully, 25% partially, and 35% did not comply with any of 
the IT governance disclosure requirements. The author suggested that a company's board of 
directors and top management may need to comprehend or interpret the King II code's disclosure 
obligations on IT governance and risks, resulting in non-compliance or incomplete compliance. 
According to Van Vuuren (2020), all the top 40 JSE-listed businesses that were examined declared 
all 17 King IV principles in their annual reports, complying with the King IV principles of good 
corporate governance. However, these organizations announced and published conformity with 
King IV's principles primarily to meet JSE listing requirements rather than value creation and good 
governance as envisioned by King IV (Van Vuuren, 2020). 

Much emphasis has been placed on the King II and King III Codes of Corporate Governance, 
IT governance, and risk disclosure in the literature; however, more literature is needed about
companies' compliance with the updated King IV IT governance and risk disclosures. This research
attempted to fill the gap by analyzing the compliance of the top 40 JSE-listed companies with the 
recently adopted King IV guidelines on IT governance and risk disclosure. 

King IV IT Governance and Risk Disclosures. King IV describes corporate governance as the 
board of directors’ ethical and effective leadership in developing a good culture based on principles, 
exceptional performance, legitimacy, and effective management of an organization (IoD, 2016). King 
IV increased the importance of IT governance, IT security governance, and IT risk management and 
incorporated information technology governance as a need for corporate governance for a business 
(Jordaan, 2019). The Johannesburg Stock Exchange (JSE) has mandated that all firms listed adhere 
to the principles and suggestions of good corporate governance outlined by King IV (JSE, 2017). 

The board of directors is required by King IV principle 12 to manage and administer the firm's 
information technology in a way that assists the company in achieving its strategic objectives (IoD, 
2016). King IV made a clear recommendation that the board of directors should assume full 
responsibility for the governance of information technology by establishing the framework for how 
information technology and its risks should be managed in a firm to meet its strategic and 
operational goals. Moreover, the board is responsible for overseeing the integration of information 
technology risks into the company's risk management as well as identifying and responding to 
threats such as cyber-attacks and sufficient disclosure thereof to enable stakeholders to assess and 
evaluate the quality of an organization's governance structure (IoD, 2016). Additionally, King IV 
principle 11 demands that the board of directors manage and oversee the firm's risks in a way that 
helps the organization accomplish its goals (IoD, 2016).


METHODS 

Data Sources and Sample. The researcher extracted data from 2021 integrated, sustainability, 
and corporate governance reports from the top 40 JSE-listed company websites. A quota sample of 
JSE's top 40 listed companies was selected and used in the analysis. The list of the top 40 JSE-listed 
entities used was obtained from the JSE index, supported by the money web markets website and 
Sharenet JSE indices. The top 40 companies listed on the JSE are regarded as the top performers and 
the prominent market drivers in South Africa (Mamaro & Tjano, 2019). The FTSE/JSE top 40 index
consists of the 40 largest entities in the South African FTSE/JSE all-share index based on total market
capitalization (Pholohane et al., 2020; Russell, 2010). 

Furthermore, the top 40 JSE index comprises over 80% of the market capitalization of all listed 
firm shares, making them of enormous public interest and often debated on public financial venues 
(Kotze, 2017; Van Zijl & Hewlett, 2022). FTSE/JSE-listed companies must issue integrated, corporate
governance, and sustainability reports, including risk and governance reports. Therefore, in this
study, the researcher analyzed how companies comply with King IV criteria for IT governance and 
risk disclosure using these reports. 


Empirical Analysis. This study used qualitative content analysis to analyze the annual reports 
and assess the extent of IT and risk governance disclosures using a deductive reasoning approach, 
as the basic disclosure requirements and recommended practices already exist and are categorized 
using the developed checklist. In order to comply with King IV's disclosure requirements, the study 
utilized an interpretive methodology to analyze the IT governance and risk disclosures made by the 
top 40 companies listed on the JSE. In addition, a qualitative text analysis enabled the researcher to 
appreciate whether the suggested IT risk governance and management disclosures were made. 
Moreover, a qualitative approach based on content analysis was used to identify similarities and 
differences in IT governance and risk disclosure requirements between King IV, COBIT 5, 
International Organization for Standardization (ISO 27002, 38500), Sarbanes-Oxley Act, and International
Standards of Auditing 315, as well as likely recommendations on IT governance and risk disclosure 
that have the potential to improve King IV provisions. 

The researcher used secondary data because the information used in the analysis was already 
published in integrated/annual reports, sustainability reports, and corporate governance reports 
accessible via the company websites. The 2021 annual/integrated reports of the top 40 listed 
companies on the JSE were subjected to qualitative content analysis since they disclose the IT 
governance and risk management practices. An IT governance and risk management disclosure
checklist was designed to address the research objective based on the empirical study on King IV
around IT risk governance and management disclosure practices. A disclosure checklist was 
developed to extract the content from the integrated reports. The disclosure checklist was developed 
per King IV principles 11 and 12 and the recommended practices for effective IT and risk governance 
and management to assess if each organization used full disclosure, non-disclosure, or obscure 
disclosure. The checklist was divided into two stages for testing: 

Stage 1 of the checklist consisting of "Yes," "No," and "Obscurely" was applied to analyze the 
extent of disclosure by companies relating to IT risk governance and management disclosures as per 
King IV. 

Stage 2 was simultaneously used to assess whether IT risk governance and management
practices have been applied. As per King IV, the test included "Yes," "No," and "not fully applied/partially applied."
The disclosure checklist which was designed and used in this study is presented
below:


Table 1: IT & Risk Governance Disclosure Checklist Designed as the Measuring Instrument.

| No | Category | King IV Recommended Practices (IODSA, 2016) | Stage 1 Test, King IV Disclosures: Yes | No | Obscurely | Stage 2 Test, King IV Application: Yes | No | Partial |
|---|---|---|---|---|---|---|---|---|
| 1 | IT Governance | The board of directors should be responsible for IT governance by setting the direction on how IT should be addressed in a company. | | | | | | |
| 2 | IT Governance | The board of directors should approve a policy that articulates and gives effect to the set direction on the employment of IT. | | | | | | |
| 3 | IT Governance | The board of directors should delegate to management to implement and execute an IT governance framework. | | | | | | |
| 4 | IT Governance | The board of directors should ensure that IT is aligned with the performance and sustainability objectives of the company. | | | | | | |
| 5 | IT Governance | The board of directors should exercise an ongoing oversight of IT management to ensure alignment and integration of IT risks into organization-wide risk management. | | | | | | |
| 6 | IT Governance | The board of directors should exercise an ongoing oversight of IT management to ensure proactive monitoring of intelligence to identify and respond to incidents, including cyberattacks and adverse social media risks. | | | | | | |
| 7 | IT Governance | The board of directors should exercise an ongoing oversight of IT management to ensure management of the performance of and the risks of third-party outsourced services. | | | | | | |
| 8 | IT Governance | The board of directors should monitor and evaluate significant IT investments and expenditures. | | | | | | |
| 9 | IT Governance | The board of directors should exercise an ongoing oversight of IT management to ensure ethical and responsible use of IT and compliance with relevant laws and standards. | | | | | | |
| 10 | IT Governance | The board of directors should exercise an ongoing oversight of the management of IT to ensure that IT systems support confidentiality, integrity, and availability of information. | | | | | | |
| 11 | IT Governance | The board of directors should exercise an ongoing oversight of the management of IT to ensure the protection of privacy of personal information, security of information, and protection of IT assets. | | | | | | |
| 12 | IT Governance | The board of directors should ensure the disclosure of an overview of its governance and management of IT. | | | | | | |
| 13 | IT Governance | The board of directors should ensure the disclosure of key areas, including objectives, significant changes in policy, and risks, including major incidents and significant risks exposed due to IT application systems. | | | | | | |
| 14 | IT Governance | The board of directors should ensure the disclosure of actions taken to monitor the effectiveness of IT management and governance and how the outcomes were addressed. | | | | | | |
| 15 | Risk Governance & Management | The board of directors should assume the responsibility to govern risk or through a dedicated committee by setting direction for how risks should be approached and addressed in the organization, including the risks' potential positive and negative effects in achieving objectives. | | | | | | |
| 16 | Risk Governance & Management | The board of directors should treat risks as integral to the way it makes decisions and execute its duties, as well as approve policies that articulate and give effect to its set direction on risks. | | | | | | |
| 17 | Risk Governance & Management | The board of directors should delegate management the responsibility to implement and execute effective risk management and governance. | | | | | | |
| 18 | Risk Governance & Management | ... should ... willing to take in pursuit of its strategic objectives, which includes limiting potential ... the organization due to IT risks and approving the organization's risk ... | | | | | | |
| 19 | Risk Governance & Management | The board of directors should consider allocating the oversight role of risk governance to a dedicated committee which ... the audit committee. | | | | | | |
| 20 | Risk Governance & Management | The board of directors should exercise ongoing oversight of risk ... the: i. Assessment of risks; ii. Assessment of opportunities presented by risks; iii. The integration and embedding of risk management in the business activities and culture of the organization. | | | | | | |
| 21 | Risk Governance & Management | The board of directors should ensure the disclosure of the nature and extent of the risks and an overview of the arrangements for governance and managing risk. | | | | | | |
| 22 | Risk Governance & Management | The board of directors should ensure the disclosure of the key risks that the organization faces, as well as undue, unexpected, or unusual risks, as well as the actions taken to monitor the effectiveness of risk management and how the outcomes were addressed. | | | | | | |

RESULT AND DISCUSSION 


This section provides findings, a discussion of the results and implications of how the top 40 
JSE-Listed firms complied with IT risks and governance disclosure as contained in the King IV 
governance code as well as the alignments of King IV provisions with other international codes such
as ISO 38500, the Sarbanes-Oxley Act (SOX), and International Standards of Auditing 315 (ISA 315). A
summary of key findings and implications of the research focus is presented below: 


Figure 1 and Table 2 below showed that most of the top 40 listed entities have disclosed and
applied the King IV principles and recommended practices, demonstrated by an above 80%
disclosure compliance on each practice. In contrast, the results also revealed that only some
companies (under 20%) obscurely disclosed, which resulted in the partial application of the code of
corporate governance practices on effective IT governance and risk management.

[Chart: Top 40 JSE Listed Companies; legend: Full Compliance, Partial Compliance]
Source: Designed by the researcher
Figure 1: Overall disclosure on IT governance and risk management


The current study has recognized significant improvement compared to previous research 
studies, indicating that companies have understood the simplified King IV corporate governance 
code. Compared to the previous research conducted by Ngwenya (2015), which found that 40% of 
organizations completely complied with King III, 25% partly complied, and 35% did not comply 
with King III's IT governance and risk management disclosure, this study demonstrates a substantial 
improvement. The significant improvement in disclosures mandated by King IV may also be 
attributed to the streamlined concepts and suggested "Apply and Explain" methods compared to 
"Apply or Explain" in King III. King III's "Apply or Explain" concept required a company to apply 
the code practices and, if not, explain why the recommended rules did not apply to the company. 
King IV's "Apply and Explain" concept stipulated that all principles and recommended practices 
should be supported by a detailed disclosure of how they were applied (IoD, 2016). 

A summary of key findings and results from each King IV recommended practice on principles 
11 and 12 has been presented below, indicating the percentage of company disclosures and 
application of King IV per each recommended practice on IT governance, risk governance, and 
management. 


Table 2: Results on IT & risk governance disclosure and application by top 40 listed entities

| No | Category | King IV Recommended Practices (IODSA, 2016) | King IV Disclosures: Yes | No | Obscurely | King IV Application: Yes | No | Partial |
|---|---|---|---|---|---|---|---|---|
| 1 | IT Governance | The board of directors should be responsible for IT governance by setting the direction on how IT should be addressed in a company. | 97% | 0% | 3% | 97% | 0% | 3% |
| 2 | IT Governance | The board of directors should approve a policy that articulates and gives effect to the set direction on the employment of IT. | 95% | 0% | 5% | 95% | 0% | 5% |
| 3 | IT Governance | The board of directors should delegate the responsibility to implement and execute an IT governance framework to management. | | | | | | |
| 4 | IT Governance | The board of directors should ensure that IT is aligned with the performance and sustainability objectives of the company. | | | | | | |
| 5 | IT Governance | The board of directors should exercise an ongoing oversight of IT management to ensure alignment and integration of IT risks into organization-wide risk management. | | | | | | |
| 6 | IT Governance | The board of directors should exercise an ongoing oversight of IT management to ensure proactive monitoring of intelligence to identify and respond to incidents, including cyber-attack and adverse social media risks. | | | | | | |
| 7 | IT Governance | The board of directors should exercise an ongoing oversight of IT management to ensure management of the performance and risks of third-party outsourced services. | | | | | | |
| 8 | IT Governance | The board of directors should monitor and evaluate significant IT investments and expenditures. | | | | | | |
| 9 | IT Governance | The board of directors should exercise an ongoing oversight of IT management to ensure ethical and responsible use of IT and compliance with relevant laws and standards. | | | | | | |
| 10 | IT Governance | The board of directors should exercise an ongoing oversight of the management of IT to ensure that IT systems support confidentiality, integrity, and availability of information. | | | | | | |
| 11 | IT Governance | The board of directors should exercise an ongoing oversight of the management of IT to ensure the protection of privacy of personal information, security of information, and safety of IT assets. | | | | | | |
| 12 | IT Governance | The board of directors should ensure disclosure of an overview of its governance and management of IT. | | | | | | |
| 13 | IT Governance | The board of directors should ensure disclosure of key areas, including objectives, significant changes in policy, and risks, including major incidents and significant risks exposed due to IT application systems. | | | | | | |
| 14 | IT Governance | The board of directors should ensure disclosure of actions taken to monitor the effectiveness of IT management and governance and how the outcomes were addressed. | | | | | | |
| 15 | Risk Governance & Management | The board of directors should assume the responsibility to govern risk or through a dedicated committee by setting direction for how risks should be approached and addressed in the organization, including the risks' potential positive and negative effects in achieving objectives. | | | | | | |
| 16 | Risk Governance & Management | The board of directors should treat risks as integral to the way it makes decisions, executes its duties, and approve policies that articulate and give effect to its set direction on risks. | 95% | 0% | 5% | 95% | 0% | 5% |
17 Risk The board of directors 97% 0% 3% 97% 0% 3% 
Governance should delegate 
& management the 
Management responsibility to 
implement and execute 
effective risk 
management and 
governance. 
18 Risk The board of directors 95% 0% 5% 95% 0% 5% 
Governance should evaluate and 
& agree on the nature and 


Management extent of the risks an 
organization is willing to 
take in pursuit of its 
strategic objectives, 
which includes limiting 
potential loss to the 
organization due to IT 
risks and approving the 


organization's risk 
appetite. 
19 Risk The board of directors 97% 0% 3% 97% 0% 3% 
Governance should consider 
& allocating the oversight 
Management role of risk governance 
to a dedicated 


committee, the Audit 
and risk committee. 
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20 Risk The board of directors 95% 0% 5% 95% 0% 5% 
Governance should exercise ongoing 
& risk management 
Management oversight to ensure the 

following: 

i. Assessment of risks 

ii. Evaluation of 
opportunities and 
threats. 

iii. The integration and 
embedding of risk 
management in the 
business activities and 


culture of the 
organization. 
21 Risk The board of directors 97% 0% 3% 97% 0% 3% 
Governance should ensure the 
& disclosure of the risks' 
Management nature and extent and an 
overview of the 
governance and 
management 
arrangements. 
22 Risk The board of directors 97% 0% 3% 97% 0% 3% 
Governance should ensure the 
& disclosure of the critical 
Management risks that the 
organization faces, as 
well as undue, 


unexpected, or unusual 
risks, as well as the 
actions taken to monitor 
the effectiveness of risk 
management and how 
the outcomes were 
addressed. 


Table 3 displays a detailed comparison indicating that most of King IV's recommended
practices align with those of the international standards. Compared to the International Standards
of Auditing (ISA 315), it became clear that some essential requirements related to IT systems and the
internal control environment should be included in King IV and ISO 38500/COBIT 5, resulting in a
difference. Furthermore, compared to the SOX Act, the study found that some key requirements
related to IT application systems and the internal control environment are not included in King IV,
resulting in differences. For better execution of King IV, the King IV Code of Corporate Governance
should include the rules for safeguarding IT systems and internal controls as mentioned in ISA
315, ISO 38500/COBIT 5, and the SOX Act.

A summary of the detailed results comparing King IV with other international standards and
regulations on IT governance and risk management disclosure practices and requirements is
presented below with the implications.
Table 3: Results on IT governance and risk management disclosure requirements comparison

| IT governance & risk management disclosure requirements as per standards, regulations, and Acts | King IV (IoD, 2016) | SOX (SOX Act, 2002) | ISA 315 (IASB) | ISO 38500/COBIT 5 (ISO/IEC 38500:2008) |
|---|---|---|---|---|
| The board of directors should govern IT to support the organization in achieving its strategic objectives (King IV). | | | | |
| The board of directors should approve a policy that articulates and gives effect to the set direction on the employment of IT (King IV). | | | | |
| The board of directors should delegate to management the responsibility to implement and execute an IT governance framework (King IV). | | | | |
| The board of directors should exercise an ongoing oversight of IT management to ensure alignment and integration of IT risks into organization-wide risk management (King IV). | | | | |
| The board of directors should exercise an ongoing oversight of IT management to ensure proactive monitoring of intelligence to identify and respond to incidents, including cyber-attack and adverse social media risks (King IV). | | | | |
| The board of directors should exercise an ongoing oversight of IT management to ensure the privacy of personal information security of information and IT assets (King IV). | | | | |
| The board of directors should exercise an ongoing oversight of the management of IT to ensure that IT systems support confidentiality, integrity, and availability of information (King IV). | | | | |
| The board of directors should exercise an ongoing oversight of IT management to ensure ethical and responsible use of IT and compliance with relevant laws and standards (King IV). | | | | |
| The board of directors should monitor and evaluate significant IT investments and expenditures (King IV). | | | | |
| The board of directors should ensure disclosure of key areas, including objectives, significant changes in policy, and risks, including major incidents and significant risks exposed due to IT application systems (King IV). | | | | |
| The board of directors should ensure disclosure of an overview of its governance and management of IT (King IV). | | | | |
| The board of directors should ensure disclosure of actions taken to monitor the effectiveness of IT management and governance and how the outcomes were addressed (King IV). | | | | |
| The board of directors should treat risks as integral to the way it makes decisions, executes its duties, and approve policies that articulate and give effect to its set direction on risks (King IV). | | | | |
| The board of directors should consider allocating the oversight role of risk governance to a dedicated audit and risk committee (King IV). | | | | |
| The board of directors should evaluate and agree on the nature and extent of the risks an organization is willing to take in pursuit of its strategic objectives, which includes limiting potential loss to the organization due to IT risks and approving the organization's risk appetite (King IV). | | | | |
| The board of directors should ensure the disclosure of the nature and extent of the risks and an overview of the arrangements for governance and managing risk (King IV). | | | | |
| The board of directors should ensure the disclosure of the key risks that the organization faces, as well as undue, unexpected, or unusual risks, as well as the actions taken to monitor the effectiveness of risk management and how the outcomes were addressed (King IV). | | | | |
| Access is authenticated through unique user IDs and passwords or other methods to validate that users are authorized to gain access to the system (ISA 315). | | | | |
| Financial data are backed up regularly according to an established schedule and frequency (ISA 315). | | | | |
| Management approves the nature and extent of user-access privileges for new and modified user access, including standard application profiles/roles, critical financial reporting transactions, and segregation of duties (ISA 315). | | | | |
| Management should establish safeguards aimed at preventing data tampering (SOX 302.2). | | | | |
| Management should establish verifiable controls to track data access (SOX 302.4B). | | | | |
| Management should establish safeguards to ensure IT controls' effectiveness (SOX 302.4.D). | | | | |
| Management should disclose data security safeguards and breaches to enable independent auditors to assess the effectiveness of the internal control structure and security framework (SOX 404 A). | | | | |

Effective IT governance and risk management practices enable a company to reduce going
concern risk and prevent fraud and data loss. This benefits employees through guaranteed
employment, supports the company's revenue and income growth, which may also increase the share
price and shareholders' returns, and benefits the South African economy through company
contributions in the form of taxation and job creation. Effective corporate governance results in
strong performance, efficient risk management, and accurate financial reporting, all of which
encourage potential investors to invest in the business and drive up stock prices. Moreover,
adherence to IT governance, risk management, and disclosure compliance shields a company from any
violations of rules, regulations, and standards that might incur fines and penalties, primarily
because full adherence to King IV is one of the JSE listing requirements.

It is important to note that most of the King IV guidelines and principles for IT governance
and risk management were aligned with global norms and standards, including ISO 38500, COBIT
5, SOX, and ISA 315. The alignment is crucial because it helps multinational companies implement
efficient IT and risk governance across their worldwide operations. Furthermore, aligning these
principles may enable JSE-listed multinationals to comply with both King IV and other international
standards on disclosure compliance relating to data loss prevention and data safeguards, which
reduces non-compliance and liabilities associated with fines and penalties. In addition, the study
revealed that a few principles identified in the different standards were not aligned. This
non-alignment may result in multinational companies' non-compliance in other countries, which may
have financial consequences in the form of fines and penalty costs, as well as a data breach.
Therefore, the study recommended that King IV include other principles identified in the
international standards, mainly relating to management responsibility for ensuring financial data
backups, data safeguards, prevention of unauthorized access, and data tracking and security
controls.


CONCLUSION 

The study analyzed the extent to which the top 40 JSE-listed firms complied with the Information
Technology risks and governance provisions in the King IV governance code. King IV's provisions
were also compared with the provisions of other international codes. The qualitative content
analysis technique was used, and the findings revealed that 32 of the top 40 JSE-listed entities
(80%) completely complied with King IV and other international standards. In contrast, eight of the
top forty JSE-listed businesses (20%) partly complied. Furthermore, 79% (19/24) of provisions in
King IV are similar to those of the international standards, while 21% (5/24) differ. It implies
that the majority of the top 40 JSE-listed companies can be protected from the dangers of
non-compliance with IT risks, which include cyber-attacks, data breaches, IT system failure, social
media risks, malware, IT data security risk, integrity risks, and the like. Regarding the alignment
of the King IV code with other international codes, the King IV code is substantially aligned. It
creates a suitable environment for multinational firms to effectively and efficiently comply with
IT risks and governance.

Information technology's importance to organizations' operations should be emphasized. It
assists in collecting and processing data and facilitating the attainment of strategic goals. IT is
thus the most crucial aspect of a company's operations. However, the increased usage of IT
application systems has exposed businesses to new hazards, necessitating good IT governance and
risk management to protect firm data. Literature indicates that entities are subject to several IT
risks, such as cyber-attacks, data breaches, IT system failure, social media, malware, IT data
security, and integrity risks. These risks expose an entity to significant financial loss and the
loss of essential information, which may lead to considerable reputational harm, legal claims, and
a loss of stakeholder trust, undermining the company's capacity to continue as a going concern.
Cyber-attacks, including ransomware and malware, result in the loss of financial records and
customer data, affecting the company's future operations, cash flow generation, and ability to
continue as a going concern. IT system failures, in turn, may halt commercial activities, resulting
in a loss of income and clients and an increase in operational expenses, impacting a company's
capacity to continue as a going concern. The hazards outlined above need good governance and
management of IT risk, which attempts to decrease IT-related risks, and the disclosure of these
risks. In the integrated/annual reports, a company's approach to risk management is deemed crucial
since it allows stakeholders to comprehend how IT resources have been used and how IT risks have
been managed and controlled to reach the company's strategic goals. In their integrated reports,
most of the organizations examined in this research acknowledged their IT risks and their risk
management and governance methodology, while a minority provided just a portion of their IT risks
and risk governance approach. The study examined the compliance of the top 40 JSE-listed companies
with the King IV code on IT risks and governance, extending the scope of previous research on IT
risks compliance under King III. It provides evidence of assurance to potential investors on
companies' compliance and enhances multinationals' operations in terms of IT risk compliance. This
research adds to the corporate governance literature in South Africa. Like other studies, the study
had limitations. The study considers only the top 40 JSE-listed firms. Further study can be done on
the compliance of all JSE-listed companies.